Background
After many years of operation, Group A's business and scale have kept growing, and both management and the IT department recognise that information technology can better support business operations and improve the efficiency of production and management. With the completion of the new office building, R&D building and workshops, the IT department needs to plan and build the group's overall informatisation and enterprise IT infrastructure. The work is divided into two parts:
Building intelligence planning and construction scheme: mainly video surveillance, access control, voice and data node planning and cabling, CATV, large-screen electronic displays and computer room construction.
Enterprise IT infrastructure planning and solution: mainly enterprise LAN topology planning and network equipment selection, Internet access and VPN access, IT hardware deployment and selection, and planning and selection of the enterprise IT information infrastructure software systems.
This scheme covers the enterprise IT infrastructure planning for Group A and proposes solutions and an investment budget. For the building intelligence planning and construction scheme, see the related documents.
Enterprise IT architecture
Within the overall enterprise IT architecture, this scheme covers the planning of the IT infrastructure part and provides selection and deployment references; for the planning and construction of the enterprise business application systems, please refer to the other solutions.
Network system planning
At present, enterprises can generally devote only limited resources to informatisation. Besides limited manpower, they lack professional staff, and their application, maintenance, development and implementation capabilities are generally weak. This requires a network architecture that is mature, stable, secure, highly reliable and highly available, and that needs as little manpower and money for maintenance as possible. Secondly, because an enterprise must first solve the problem of survival, there is no way to "do informatisation first, then business", so the network construction must be easy to implement and the implementation time must be very short.
The main elements of an enterprise networking solution are the LAN, WAN connectivity, network management and security. Specifically, enterprise networking needs to:
• Establish a secure network architecture and network connectivity between headquarters and branch offices;
• Deploy the network securely to ensure normal enterprise operation;
• Provide IPsec or SSL VPN access for travelling staff;
• Provide intelligent management features with browser-based graphical management;
• Design the network to facilitate upgrades and protect the investment.
In a typical enterprise network structure, the core layer of a large enterprise network generally uses a topology with redundant nodes and redundant links, while small enterprises use a single-link connection.
Analysing the informatisation situation of typical enterprises and the elements of network planning, the planning scheme must have the following characteristics:
• Simple network management, using an easy-to-use browser-based graphical interface to manage the network.
• A wide range of WAN connection options to reduce WAN link costs.
• Wireless access points with wide coverage and flexible configuration, for convenient mobile office work.
• A convenient and simple unified communication system that easily provides an interactive working environment.
• Bandwidth compression technology and advanced QoS to effectively reduce WAN link traffic.
• As the company's business develops, all network equipment can continue to be used after the original network is upgraded, effectively protecting the investment.
• System security and high confidentiality, applying low-cost network security solutions appropriate to the enterprise.
Secure infrastructure network planning scheme
Based on an on-site investigation of Group A, we obtained the enterprise's network requirements and from them drew up the basic network construction plan and the network equipment selection reference. Both a basic edition and an enterprise edition of the planning scheme are provided below.
1) Network requirements:
The enterprise plans for 500 network nodes. The first requirement of the network is resource sharing: all desktop users on the network can share the file server/database and shared printers, realising the functions of the office automation system. Next are communication services: end users can send and receive e-mail over the WAN connection, use Web applications, access the Internet and have secure WAN access, and the company portal and network communication systems (enterprise mailbox, enterprise instant messaging, enterprise SMS platform, etc.) can be established.
2) Basic edition planning scheme
This scheme is suitable for a network of 200~300 computers. The core uses an H3C S5500-28C-SI or S5500-20TP-SI switch, connected to the access switches and servers over Gigabit twisted pair/fiber; user access uses H3C S3100-26TP-SI or S3100-52TP-SI switches, connected to the core switch over Gigabit copper/fiber. The Internet egress uses an H3C MSR20-1X multi-service router as the egress router, and a SecPath F1000-C or UTM as the security gateway and as the VPN access gateway for mobile users. The network topology diagram is as follows:
The equipment selection and deployment reference is as follows:
Business | Demand | Equipment selection reference | Configuration instructions | Number | Deployment location
Data | Core switches | H3C S5500-28C-SI or H3C S5500-20TP-SI | Full-Gigabit Layer 3 core | 1 | Core room
Data | Access-layer switches | H3C S3100-26TP-SI or H3C S3100-52TP-SI | Access layer with combo (copper/fiber) Gigabit uplinks; supports hybrid stacking | 26TP: 15 units; 52TP: 8 units | Each floor or room
Data | Router | H3C MSR20-1X router | Forwarding rate 160 kpps, 256 MB memory; supports GE/FE switch modules, asynchronous serial, E1/PRI, voice and encryption modules | 1 | Core room
Security | Firewall | H3C SecPath F1000-C or H3C SecPath U200 | Supports application-layer packet filtering | 1 | Core room
Security | VPN | (firewall above) | Supports DVPN | |
Internet access | 10M fiber access | Telecom 10M fiber access | With static IP address | 1 | Core room
Scheme features:
• Cost-effective: lets small and medium enterprises obtain a high-performance network with an economical investment;
• Simplicity: simple structure, fast installation, simple maintenance, no full-time staff required;
• High performance: a Gigabit backbone and 100M access at the lowest investment;
• Scalability: a flexible network architecture that can be extended at any time while protecting the existing investment.
3) Advanced planning scheme:
This scheme is applicable to a network of 500~800 computers with a three-layer network structure, Gigabit backbone and 100M access. The network core layer uses an H3C S7500 switch, whose Gigabit ports connect to the application servers, access switches and other devices. The aggregation layer uses the H3C S5500-28C-SI, whose intelligent stacking system provides high-density Gigabit port access; its Gbps-class full-duplex stacking bandwidth eliminates network bottlenecks and provides better availability and resilience than traditional trunk aggregation. The access layer can use H3C S3100-26TP-SI or S3100-52TP-SI switches connected to the core switch over Gigabit copper/fiber, or H3C S5100-16/24/48P-SI all-Gigabit switches for Gigabit to the desktop. The network topology diagram is as follows:
The equipment selection and deployment reference is as follows:
Business | Demand | Equipment selection reference | Configuration instructions | Number | Deployment location
Data | Core switches | H3C S7500(E) series | Core with dual engines and dual power supplies; most cost-effective | 1 | Core room
Data | Aggregation-layer switches | H3C S5500-28C-SI | Full-Gigabit high-speed forwarding at the aggregation layer, eliminating network bottlenecks while supporting Gigabit expansion | 3 | Each floor or room
Data | Access-layer switches | H3C S3100-26/52TP-SI or H3C S5100-16/24/48P-SI | Access layer offers both 100M and Gigabit options according to business needs | 52TP: 10 units | Each floor or room
Data | Router | H3C MSR50-06 router | H3C new-generation secure router | 1 | Core room
Security | Firewall | H3C SecPath F1000-C | Supports application-layer packet filtering | 1 |
Security | VPN | (firewall above) | Supports DVPN | |
Internet access | 20M~50M fiber access | Telecom 20M~50M fiber access | With static IP address | 1 | Core room
Scheme features:
• High performance, fully distributed switching network;
• High reliability, uninterrupted communication environment;
• Flexible network expansion capability;
• High network bandwidth utilisation;
• Comprehensive QoS deployment and multi-service integration;
• Complete network security policy, with deep security inspection to protect against unknown risks.
Secure wireless network planning scheme
Deploying a wireless network extends the range over which employees can access the network and provides greater accessibility: whether in the office, the boardroom or a complex space, employees stay connected to the network and can access enterprise resources anytime, anywhere, while site cabling is simplified. A secure wireless network solution not only improves staff productivity and collaboration, but also provides convenient Internet access for partners/customers. Depending on the business situation, the FAT AP scheme can be used:
1) Wireless network requirements:
Obtain a high user access rate and build a convenient mobile office environment that realises enterprise mobile network office work at a low cost; suitable for simple, small-scale wireless deployments.
2) Planning scheme:
The network uses WA1208E + IMC + CAMS: CAMS provides 802.1X authentication and supports billing by time, by traffic or by monthly subscription, and the whole network is managed centrally through IMC. The network topology diagram is as follows:
The equipment selection and deployment reference is as follows:
Business | Demand | Equipment selection reference | Configuration instructions | Number | Deployment location
Wireless | Wireless access | WA1208E | Dual 802.11g wireless modules | 8 | Each floor
Wireless | Wireless security | H3C CAMS | Meets the requirements for user management, identity authentication, authorisation control and billing | 1 | Core room
Wireless | Wireless management | H3C IMC network management system | Supports integration with HP OpenView, SNMPc and other common network management platforms | 1 | Core room
Scheme features:
• Full support for the 802.11i security mechanism, the 802.11e QoS mechanism and the 802.11f Layer 2 switching mechanism;
• Wide coverage: high receive sensitivity down to -97 dBm (ordinary APs: -95 dBm), ensuring wider coverage;
• Multi-VLAN support: virtual AP mode supports multiple VLANs, with up to 8 virtual SSIDs mapped to VLANs, and the users of each VLAN can authenticate independently;
• Use as a bridge: WDS mode supports PTP and PTMP operation, connection rate locking and packet aggregation, improving transmission efficiency;
• Load balancing: supports load balancing by number of users and by traffic;
• Specific models are available for outdoor use and for special indoor applications such as warehouses and other complex environments.
WAN interconnection VPN planning scheme
As enterprises and companies keep expanding, branches and customers become increasingly dispersed and partners more numerous, and more and more modern enterprises urgently need to use public Internet resources for promotion, sales, after-sales service, training, cooperation and other consulting activities, which has created a broad market for VPN applications. In the VPN model, the VPN client and the VPN gateway set up at the internal network boundary use a tunnelling protocol to establish a "tunnel" over the Internet or another public network as the transmission channel, while the VPN connection uses authentication and data encryption to prevent data from being intercepted or tampered with in transit, ensuring the integrity, confidentiality and legitimacy of the data. Through VPN, enterprises can use existing network resources to give remote users and branch offices access to internal network resources, saving a great deal of money while maintaining high security.
In addition, as enterprises grow, decentralised offices become more and more common, and how to provide remote network access for small branches, travelling staff and partners concerns more and more enterprises. Considering cost, ease of use and ease of management together, SSL VPN is undoubtedly the most appropriate solution: only a single device needs to be deployed at headquarters, which is low-cost and easy to manage and maintain, and users need no client installation or configuration, only a logon to the Web page.
1) Network requirements
IPsec VPN and SSL VPN have their own strengths and complement each other, and the enterprise needs both: IPsec VPN for the interconnection of headquarters with medium and large branches, and SSL VPN to provide remote network access for small branches, partners and travelling staff. With the traditional approach, headquarters has to purchase two devices to support the two kinds of VPN, which is not only more expensive but may also lead to VPN policy conflicts, causing performance degradation and management difficulties.
2) Planning scheme
A converged VPN addresses the actual needs of the enterprise: a single device combines both IPsec and SSL VPN, and deployed only at headquarters it can provide remote network access for partners and travelling staff while interconnecting with the branch offices over IPsec VPN, helping the enterprise reduce procurement, deployment and maintenance costs.
As for the choice of VPN gateway, H3C's firewalls and routers can both provide the converged VPN, giving the enterprise a more flexible choice. For example, if the enterprise places great importance on network security and VPN performance, choose a firewall; if it cares more about multi-service processing capacity, such as IP voice communication, 3G Internet access and wireless access, a router is recommended.
Configure one or two hot-standby VPN gateways behind the Internet perimeter firewall of the headquarters LAN and one VPN gateway behind the Internet perimeter firewall of each branch office, establishing IPsec VPN tunnels between the two VPN gateways for data encapsulation, encryption and transmission; provide the SSL VPN access service through the VPN gateway at headquarters; deploy the H3C VPN Manager component in the headquarters LAN data centre to deploy, manage and monitor the VPN gateways; and deploy the H3C BIMS system on the intranet or at the Internet boundary of the headquarters LAN to enable automatic configuration and policy deployment of the branch office VPN gateway devices. As shown below:
The equipment selection and deployment reference is as follows:
Business | Demand | Equipment selection reference | Configuration instructions | Number | Deployment location
Network interconnection | VPN gateways | H3C SecPath F1000 VPN gateway or H3C SecPath F100 VPN gateway; or H3C MSR50 router or H3C MSR20-1X router | F1000 models for headquarters and large organisations; F100 model for small and medium organisations | Headquarters: 1 unit; branch offices: as needed | Core room
Network interconnection | Network management | H3C VPN Manager, H3C BIMS | Help users deploy and manage the VPN network | 1 | Core room
If the branches within the province are dispersed but are chain units with low bandwidth requirements, the VPDN service of the telecom operator or ISP can also be chosen;
if there are multiple point-to-multipoint communication needs between the branch offices and the business units, the MPLS VPN service of the telecom operator or ISP can also be used directly.
Network performance metric requirements
Type | Bandwidth requirements | Line quality requirements
LAN | Client to server: 10 Mb or above, 100 Mb recommended; between servers: 200 Mb or above, 1000 Mb recommended | Packet loss rate below 0.1%; delay below 20 ms
WAN | Branch office bandwidth: 128 Kb per client; headquarters egress bandwidth: (max concurrent users / 3) × 128 Kb; between headquarters servers: 200 Mb or above, 1000 Mb recommended | Packet loss rate below 2%; delay below 50 ms
Network security planning
Network security is the basis for the secure operation of the whole system and the key to ensuring the system runs safely. The security requirements for the network system include:
• Network boundary security requirements
• Intrusion monitoring and real-time monitoring requirements
• Analysis, response and handling requirements for security incidents
The different combinations of these requirements across the various application systems require the network to be divided into different security levels.
Our security policy for the enterprise network layer combines hardware protection with software protection and static protection with dynamic protection, as an overall strategy of multi-level protection.
Depending on the security requirements and purpose of each application system, the entire network can be divided into six different security levels. Specifically:
• Core layer: core database;
• Security layer: application information system middleware servers and other applications;
• Basic security layer: internal LAN users;
• Trusted layer: the network access interfaces of company headquarters and the sales department;
• Hazardous layer: the Internet.
The security requirements and security level of each security domain of the information system differ; network-layer security consists mainly of establishing effective security controls between the security domains so that access between the networks is controllable. The specific security policies are as follows:
The core database uses a physical isolation policy:
The application system uses a layered architecture: clients only need to access the middleware servers for daily business processing and cannot access the database server directly, which guarantees the high security of the core-layer data.
The application system middleware servers use a comprehensive security policy:
The security risks to the application middleware come mainly from inside the LAN. To guarantee the security of the application middleware services, security isolation between the security areas, users and security domains can be implemented by dividing the LAN into virtual subnets with access control between the subnets. At the same time, the middleware servers themselves can be configured with appropriate security policies that restrict which workstations and users are authorised to access the system services, ensuring the security of the middleware servers.
The internal LAN uses an information security policy:
The internal LANs of company headquarters and the sales department sit in the basic security layer of the network; the end users here are weakly protected, so the focus is on two aspects: virus protection on the clients, and preventing leakage of internal sensitive information. Network anti-virus software is therefore selected to protect the internal LAN against viruses, and at the same time dedicated network security equipment (such as a hardware firewall) establishes effective protection: through access control lists (ACLs) and other security policy configuration it controls the information exchange between internal end users and external networks, achieving internal LAN information security.
The network interface between company headquarters and subordinate units uses a communication security policy:
In the trusted-layer network, security mainly concerns the business data uploaded by each subordinate unit, so data-layer encryption can be used: the VPN tunnels provided by the hardware firewalls are encrypted to transmit critical sensitive information securely over the WAN communication channel.
The Internet uses a communication encryption policy:
The Internet is the non-secure, hazardous layer. Because there are many malicious attacks on the Internet, the focus is on preventing secret information from flowing out at this level. The hardware firewall provides professional network protection: all access requests are tightly controlled and all data communication is encrypted in transit.
At the same time, it is recommended to establish a strict computer room management system that prohibits unauthorised personnel from entering the room, which further improves the security of the entire network system.
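As an added illustration (not part of the original scheme), the following Python model encodes the five security layers and the inter-domain rules just described as a deny-by-default zone policy, evaluates sample flows against it and renders it as ACL-style statements for the inter-subnet firewall; the zone labels, service names and the "authorized" allow-list flag are assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    """The five security layers named in the planning text."""
    CORE = "core database"
    MIDDLEWARE = "application middleware"
    LAN = "internal LAN"
    TRUSTED = "HQ/branch interface"
    INTERNET = "Internet"


@dataclass(frozen=True)
class Flow:
    src: Zone
    dst: Zone
    service: str              # assumed service label, e.g. "db", "app", "https"
    encrypted: bool = False   # True when carried inside the firewall's VPN tunnel
    authorized: bool = False  # True when the source is on the middleware allow-list


# Permitted zone pairs (initiator, responder) and the services they may
# exchange.  Anything not listed here is denied by default.
ALLOW: dict[tuple[Zone, Zone], set[str]] = {
    (Zone.MIDDLEWARE, Zone.CORE): {"db"},         # only middleware reaches the DB
    (Zone.LAN, Zone.MIDDLEWARE): {"app"},         # clients work through middleware
    (Zone.TRUSTED, Zone.MIDDLEWARE): {"app"},     # branches upload business data
    (Zone.LAN, Zone.INTERNET): {"http", "https", "smtp", "pop3"},  # Web and e-mail
    (Zone.INTERNET, Zone.TRUSTED): {"vpn"},       # remote users hit the VPN gateway
}


def needs_tunnel(src: Zone, dst: Zone) -> bool:
    """Branch data and anything arriving from the Internet must ride a VPN tunnel."""
    return src is Zone.INTERNET or Zone.TRUSTED in (src, dst)


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow under the layered policy."""
    pair = (flow.src, flow.dst)
    if flow.dst is Zone.CORE and flow.src is not Zone.MIDDLEWARE:
        return False, "core database is physically isolated: only middleware may connect"
    if pair not in ALLOW:
        return False, f"no rule permits {flow.src.value} -> {flow.dst.value}"
    if flow.service not in ALLOW[pair]:
        return False, f"service {flow.service!r} is not permitted between these zones"
    if needs_tunnel(*pair) and not flow.encrypted:
        return False, "traffic crossing the WAN must travel inside the VPN tunnel"
    if flow.dst is Zone.MIDDLEWARE and not flow.authorized:
        return False, "middleware accepts only authorised workstations and users"
    return True, "permitted"


def acl_lines() -> list[str]:
    """Render the policy as ordered, deny-by-default ACL statements."""
    lines = []
    for (src, dst), services in ALLOW.items():
        tunnel = " require-vpn" if needs_tunnel(src, dst) else ""
        for svc in sorted(services):
            lines.append(f"permit {svc} from [{src.value}] to [{dst.value}]{tunnel}")
    lines.append("deny any from [any] to [any]")
    return lines


if __name__ == "__main__":
    # Constructed sample flows: one correct client path and two policy violations.
    samples = [
        Flow(Zone.LAN, Zone.MIDDLEWARE, "app", authorized=True),
        Flow(Zone.LAN, Zone.CORE, "db", authorized=True),             # bypasses middleware
        Flow(Zone.TRUSTED, Zone.MIDDLEWARE, "app", authorized=True),  # branch upload, no tunnel
    ]
    for f in samples:
        print(f.src.value, "->", f.dst.value, f.service, evaluate(f))
    print("\n".join(acl_lines()))
```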
1) WAN security planning
Enterprise WAN security is mainly provided by firewalls, VPNs and similar equipment or technologies.
A firewall scans the network traffic passing through it and can filter out some attacks; it can also close unused ports. A firewall gives good protection because an intruder must first cross the firewall's security line to reach the target computer, so for security reasons the enterprise must purchase a firewall to protect its servers and place the application system servers in a dedicated zone inside the firewall. Hardware firewalls generally perform better than software firewalls, so an enterprise-class hardware firewall is recommended; well-known hardware firewall brands include Cisco, Check Point, Juniper, H3C, Topsec, Huawei Symantec, Lenovo Network and others, and the user should choose an appropriate firewall according to the application situation.
A VPN (Virtual Private Network) is a technology for establishing secure private connections over public, non-secure media such as the Internet. Using VPN technology, even confidential information can be transmitted securely over public non-secure media. The development and maturity of VPN technology provides a ubiquitous, reliable and secure data transmission network for business operations. A VPN creates a secure connection channel through a secure tunnel that interconnects branch offices, remote users, partners and the corporate network to form an extended enterprise network.
Basic VPN features:
• Enterprises enjoy the same security, reliability and manageability that they have on a private network.
• Flexible network architecture: seamlessly extends the intranet to remote offices, mobile users and remote workers.
• Partners, suppliers and key customers can be connected through an extranet (establishing "green channels" for information), improving customer satisfaction and reducing operating costs.
VPN implementation methods:
• Hardware devices: routers with VPN function modules, firewalls, dedicated VPN hardware, etc., from vendors such as Cisco, H3C, Sangfor, Topsec and others.
• Software implementation: the PPTP or L2TP built into Windows, or third-party software (such as Check Point, Sangfor, etc.).
• Service providers (ISPs): China Telecom, China Unicom, China Netcom and so on. Some ISPs now offer MPLS VPN, whose line quality is better guaranteed and which is recommended.
2) Intranet security planning
The enterprise intranet security system includes the anti-virus system, the intranet security management system, the Internet behaviour management system and so on.
For the anti-virus system, the network editions of anti-virus products such as Kingsoft, Rising and Kaspersky, or Trend Micro OfficeScan, can be used.
For the intranet security system and the Internet behaviour management system, solutions such as Sangfor, Ninko and IP-guard can be chosen; the enterprise can deploy an intranet security system to protect the R&D network and business information. Unified, coordinated information security configuration and centralised data storage and computing resources for the R&D network can be achieved by deploying an enterprise desktop virtualisation solution.
That is all for today; I hope it serves as a reference.
Petter Liu
Source: http://www.cnblogs.com/wintersun/
This article is copyrighted by the author and cnblogs. Reprinting is welcome, but without the author's consent this paragraph must be retained and a link to the original must be given in a prominent position on the article page; otherwise the author reserves the right to pursue legal liability.
This article was also published on my independent blog, Petter Liu Blog.
IT infrastructure planning scheme 1 (network system planning)